In this article, we’ll show how to change a user password in an RDP session on a remote Windows computer. The remote host can be either a Windows Server with the Remote Desktop Services (RDSH) role configured, or a Windows 10 workstation on which one or more RDP connections are allowed.
The main problem users come across is that you cannot open the standard password change dialog with the Ctrl + Alt + Delete key combination in a Remote Desktop (RDP) session. This shortcut is not passed to the RDP session; it is handled by your local operating system.
In Windows Server 2003/2008, you could change a user password in RDP by clicking the Start button and selecting Windows Security -> Change Password.
In later versions, including Windows Server 2016/2019/2022 and Windows 10/11, there is no Windows Security item in the Start menu, so this method of changing user password is not applicable.
Change User Password in RDP with CTRL + ALT + END
In current Windows versions, you must use the Ctrl + Alt + End key combination to open the Windows Security dialog in an RDP session. The shortcut is the equivalent of Ctrl + Alt + Delete, but it works only inside an RDP window. Select Change a password in the menu.
You can now change your password in the standard dialog box (enter your current password and set a new one twice).
Changing Password Using the On-Screen Keyboard
If you are connected to the Remote Desktop of a Windows host through a chain of nested RDP sessions, you won’t be able to use CTRL+ALT+END to change the user password, because the first RDP window intercepts the keyboard shortcut. In these cases, you can use the built-in Windows On-Screen Keyboard to change the user’s password.
- Run the On-Screen Keyboard in the target RDP session (the easiest way is to type osk.exe in the Start menu). The On-Screen Keyboard window appears;
- Press CTRL+ALT on your physical (local) keyboard (these keys should be shown as pressed on the On-Screen Keyboard) and then click the Del button on the On-Screen Keyboard;
- The Ctrl+Alt+Del key combination is sent to the remote RDP session, and the standard Windows Security dialog box appears, where you can change the password.
If your new password does not meet the domain password policy requirements, you will see the message below:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
Note that if a Minimum password age is configured in the domain policy (or in a Fine-Grained Password Policy, PSO), it prevents users from changing their password more often than the GPO setting allows.
You can view when a user password expires using PowerShell:
Get-ADUser -Identity jsmith -Properties msDS-UserPasswordExpiryTimeComputed | select-object @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}
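The one-liner above only shows the expiry date. The following function, an added example that is not part of the original article, gathers the other values that decide whether a change will be accepted: the PasswordExpired flag, pwdLastSet = 0 (the “User must change password at next logon” state), and the minimum password age from the effective policy (a PSO if one applies, otherwise the domain default), from which it computes the earliest time the user is allowed to change the password. It assumes the RSAT ActiveDirectory module and a reachable domain controller; jsmith is a sample account name.

```powershell
# Added example, not from the original article. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordChangeStatus {
    param([Parameter(Mandatory)][string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired,
        PasswordNeverExpires, pwdLastSet, msDS-UserPasswordExpiryTimeComputed

    # A fine-grained policy (PSO) overrides the domain default when one applies to the user.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet = 0 means "User must change password at next logon"; with NLA enabled
    # such a user is rejected before the RDP session even starts.
    $mustChange = ($u.pwdLastSet -eq 0)

    # Int64.MaxValue in the computed attribute means the password never expires.
    $expiry = $null
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -and $raw -ne [Int64]::MaxValue) { $expiry = [datetime]::FromFileTime($raw) }

    # Minimum password age blocks changes until PasswordLastSet + MinPasswordAge.
    $earliest = $null
    if ($u.PasswordLastSet -and $policy.MinPasswordAge -gt [TimeSpan]::Zero) {
        $earliest = $u.PasswordLastSet + $policy.MinPasswordAge
    }

    [pscustomobject]@{
        User                  = $u.SamAccountName
        PasswordLastSet       = $u.PasswordLastSet
        PasswordExpired       = $u.PasswordExpired
        PasswordNeverExpires  = $u.PasswordNeverExpires
        MustChangeAtNextLogon = $mustChange
        ExpirationDate        = $expiry
        MinPasswordAge        = $policy.MinPasswordAge
        EarliestAllowedChange = $earliest
        ChangeBlockedByMinAge = ($null -ne $earliest -and ((Get-Date) -lt $earliest))
        EffectivePolicy       = $policy.DistinguishedName
    }
}

# jsmith is a sample account name.
Get-PasswordChangeStatus -Identity jsmith | Format-List
```

Run it as a helpdesk or AD administrator before telling a user to retry: if ChangeBlockedByMinAge is true, no dialog or script will accept the change until EarliestAllowedChange.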
VBS/PowerShell Script to Change Password in RDP Session
You can call a Windows Security dialog box in an RDP session using the built-in Windows tools: VBScript, PowerShell, or a Shell shortcut.
For example, create a WindowsSecurity.vbs text file with the following VBScript code on your desktop:
' Creates the Shell.Application COM object and opens the Windows Security dialog
Set objShell = CreateObject("shell.application")
objShell.WindowsSecurity
If you double-click the VBS file, you will see a standard form to change your password.
You can place this VBS file on the public desktop of your RDS host (%SystemDrive%\Users\Public\Desktop\) or copy the file to user desktops using GPO.
In the same way, you can open the password change window from PowerShell. Use the command below (the opening parenthesis is required, otherwise PowerShell tries to pass .WindowsSecurity() as a parameter to New-Object):
(New-Object -COM Shell.Application).WindowsSecurity()
You can also create a Windows File Explorer shortcut with the following target:
C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
Changing Passwords via the Remote Desktop Web Access (RDWEB)
If you access your RDP servers through a host with the Remote Desktop Web Access (RDWA) role, you can allow users to change an expired password on the RDWA login page (this is described in detail here).
CredSSP NLA & Password Change in RDP
There is an important aspect of changing an expired user password over RDP that is related to Network Level Authentication (NLA) and the Credential Security Support Provider (CredSSP) protocol. By default, CredSSP with NLA is enabled for RDP on Windows Server 2012/Windows 8 and newer. NLA protects the RDP server by authenticating the user before an RDP session with the host is established.
If the user password has expired, or an AD administrator has set the userAccountControl option “User must change password at next logon” (most often it is set for new AD accounts), you will see the following error when connecting over RDP:
Remote Desktop Connection You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.
As a result, the user can neither connect to the server using RDP nor change the password.
In this case, to allow remote users to change their passwords, you can:
- Configure the RDWA role with the password change page as described above;
- Disable NLA on your RDP host (not recommended!!! since it significantly reduces the security level of RDP connections) and use a .rdp file containing the line enablecredsspsupport:i:0 for connections;
- Use a separate RDP host only for changing user passwords. You don’t need to install the Remote Desktop Session Host role on this host or add users to the local Remote Desktop Users group, but you have to disable NLA on it. Users will then be able to change their passwords, but won’t be able to log on to the server via RDP;
- A user can change their password remotely using PowerShell (if they have network access to a domain controller).
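The last option above, as an added example that is not part of the original article: a self-service password change from the user’s own workstation over the network, with no RDP session and with NLA left enabled on the servers. It uses the ADSI WinNT provider, whose ChangePassword method performs the same network password-change operation as the Windows Security dialog, so it needs only the current (possibly expired) password and reachability to a domain controller. The RSAT module is not required. DOMAIN and jsmith are sample values; the function name is my own.

```powershell
# Added example, not from the original article. Works without RSAT; needs network access to a DC.
function Set-OwnDomainPassword {
    param(
        [Parameter(Mandatory)][string]$Domain,    # e.g. 'DOMAIN' (sample value)
        [Parameter(Mandatory)][string]$UserName   # e.g. 'jsmith' (sample value)
    )
    # Read all three values as SecureString so nothing is echoed or left in the console history.
    $old     = Read-Host -Prompt 'Current password'     -AsSecureString
    $new     = Read-Host -Prompt 'New password'         -AsSecureString
    $confirm = Read-Host -Prompt 'Confirm new password' -AsSecureString

    # ChangePassword() needs plain strings; NetworkCredential decodes the SecureStrings in memory only.
    $oldPlain = [System.Net.NetworkCredential]::new('', $old).Password
    $newPlain = [System.Net.NetworkCredential]::new('', $new).Password
    if ($newPlain -cne [System.Net.NetworkCredential]::new('', $confirm).Password) {
        throw 'New password and confirmation do not match.'
    }

    try {
        # IADsUser::ChangePassword authenticates the request with the current password itself,
        # which is why this path is usable when the password has already expired.
        $user = [ADSI]"WinNT://$Domain/$UserName,user"
        $user.ChangePassword($oldPlain, $newPlain)
        Write-Host "Password for $Domain\$UserName changed successfully."
    }
    catch {
        # Typical failures: wrong current password, new value violates length/complexity/history,
        # or the minimum password age has not elapsed (the same errors the GUI dialog reports).
        Write-Error "Password change failed: $($_.Exception.Message)"
    }
    finally {
        # Drop the plain-text copies as soon as they are no longer needed.
        $oldPlain = $null
        $newPlain = $null
    }
}

Set-OwnDomainPassword -Domain 'DOMAIN' -UserName 'jsmith'
```

Because the change goes straight to a domain controller, it is also the option that leaves NLA and CredSSP untouched on every RDP host.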
1 comment
Thanks Admin!